PROTECT [IL1]
Desktop cyber exercise – 12 November 2013 1
Waking Shark II Desktop Cyber Exercise Report Appendices
Annex A – Governance Group members
Steering Group
John Milne Bank of England (Co-Chair)
Malcolm Brooke Credit Suisse (Co-Chair)
Sharon Wallis Bank of England
Simon Onyons FCA
Heather Kempton HM Treasury
Nick Fuller SIBCMG Co-Chair / Credit Suisse
Nick Godfrey IBSIG Chair / Goldman Sachs
Gayle Hedgecock Payments Council
Michael Roberts OCSIA
Alan Campbell Infrastructure Providers
Andrew Rogan British Bankers Association
Chris Keeling Keystone Resilience
Scenario Design Group
Nick Godfrey Goldman Sachs (Chair)
Angus Burden JPMorgan
Chris Joy Nomura
Carlton Cristie JPMorgan
Jason Mallinder Credit Suisse
Hakan Lucas RBS
David Cripps Investec
Allan Campbell LCH Clearnet
Paul Griffiths Morgan Stanley
Orhan Moye BNP Paribas
Alan Stockey FS-ISAC
Raj Samani McAfee
Ashley Jellyman BT
Phil Huggins Detica
Ben Lindgreen Payments Council
Rich Bennett (Secretariat) FSIE
Simon L CSOC
Chris Da CPNI
Roz Horton Bank of England
Nick P CPNI
Jagesh Thakkar FCA
Nathan Bird SIBCMG
John Synge SIBCMG
Ian Wellings SIBCMG
Ian Dowglass Euroclear UK & Ireland
Susanne Gahler FCA
Freddie Hult Bank of England
Brian Janganant LSE
Etienne DeBurgh HSBC
Matt Steel Thomson Reuters
Carric Dooley McAfee
Planning & Facilitation Group
Nick Fuller Credit Suisse (Chair)
Sharon Wallis Bank of England (alt Chair)
Lauren Earls Bank of England
Nick Emery Citibank N.A.
Nathan Bird Goldman Sachs
Ian Wellings JPMorgan
John Synge Morgan Stanley
Leila Gomes Nomura
Kelly Orvis Barclays plc
Ian Dowglass Euroclear UK & Ireland
Chris Keeling Keystone Resilience
Annex B – Participant organisations
Wholesale Banks
Bank of America / Merrill Lynch
Barclays plc
BNP Paribas UK Ltd
Citibank N.A.
Credit Suisse
Deutsche Bank Group
Goldman Sachs International
HSBC Bank plc
JPMorgan
Morgan Stanley
Nomura International plc
Royal Bank of Scotland Group
Société Générale
UBS Investment Bank
Financial Market Infrastructure
CHAPS Co Ltd
CLS Services
Euroclear UK & Ireland
LCH Clearnet
London Stock Exchange
SWIFT
Authorities
Bank of England, including Prudential Regulation Authority
Financial Conduct Authority
HM Treasury
Supporters/Experts
Bank of England (Sterling Markets Division)
British Bankers Association
British Telecom (BT)
Centre for Protection of National Infrastructure (CPNI)
Crisis Guardian
Cyber Security Operations Centre (CSOC)
Debt Management Office (DMO)
Office of Cyber Security & Information Assurance (OCSIA)
Payments Council
Annex C – Exercise Development and Approach
Planning
The planning for the exercise was led by representatives from the member firms of the SIBCMG with support from the UK Financial Authorities, other financial sector organisations, and specialists from government and other key suppliers to the sector.
A Steering Group led by Credit Suisse and the Bank of England provided overall governance and oversight for the development and delivery of the exercise with the detailed scenario design being undertaken by a Scenario Design Group (SDG) led by Goldman Sachs, and the delivery co-ordinated by a Planning and Facilitation Group (PFG) led by Credit Suisse. The members of all three groups were drawn from the member firms of SIBCMG, the Authorities and supporting organisations.
Exercise planning commenced in May 2013 with detailed project plans being produced for the scenario design and delivery. A risk log was maintained throughout the process to ensure that risks were understood and mitigating actions applied as required. In particular, it was identified that a formal rehearsal should be undertaken at the venue to test all the technology that would be used on the day of the exercise and to provide each of the participants’ facilitators with a detailed briefing.
Enhancements over Waking Shark I
The Waking Shark II exercise design included the following enhancements compared to the first Waking Shark exercise held in March 2011:
Dynamic interaction with individual firms being given both general and specific impacts to respond to throughout the day.
A longer half-day exercise to allow for a more in-depth scenario, analysis and discussion. The exercise commenced at 12:30pm and completed at 5pm.
Involvement of a greater number of Firm experts through enlarged teams with up to eight representatives (five business and three technical).
Greater expert involvement in both the design and execution of the scenario. The exercise control team included a number of experts from both participating firms and supporting organisations, all of whom had been involved in the design of the scenario. CPNI provided expert guidance on the provision and use of the CISP platform and supported the platform during the exercise.
Provision of the CISP platform allowed for real-time sharing of cyber threat information between the participating firms.
Simulated media involvement to more accurately reflect the challenges experienced. A specialist organisation was engaged to develop high quality media input and firms were invited to bring a member of their communications team to the exercise.
Greater engagement with critical infrastructure providers. Key Financial Market Infrastructure organisations played in the exercise and provided information as to their status throughout.
Authorities’ involvement and participation using the new regulatory structure. The Bank of England, including the Prudential Regulation Authority, the Financial Conduct Authority, and HM Treasury were all represented during the exercise.
The exercising of CMBCG in its role as strategic coordination forum for wholesale market disruption.
The scenario also included lessons learned and demonstrated progress based on Waking Shark I and MWE 2011 findings.
Delivery
As shown below, the exercise took place over three phases separated by electronic voting and discussion. Each phase had specific objectives aligned to the overall exercise objectives.
The exercise was delivered by a facilitation team and an Exercise Control group comprising members of the SDG and other experts. The facilitation team comprised a ‘lead’ facilitator, who led the session, supported by additional facilitators who helped the participants with questions regarding the exercise and the scenario.
The exercise information was delivered to the participants by way of paper injects that contained details of the events that the firm was experiencing at that time, and supporting media injects.
The paper injects were provided to each table in three envelopes as follows:
Envelope 1 – Phase 1 containing Tranche 1 (Tuesday 17 December 3pm) and Tranche 2 (Tuesday 17 December 6pm).
Envelope 2 – Phase 2 containing Tranche 3 (Wednesday 18 December 6am) and Tranche 4 (Wednesday 18 December 12pm).
Forms – containing an Action Log that each Participant was encouraged to complete, MIDAS forms that were requested by the Authorities at key points in the exercise, ‘Question’ and ‘Announcement’ cards that could be used to signal a question for the facilitators or announcement to the group, and a Feedback form for completion at the end of the exercise.
Media injects were delivered at various stages in the exercise. The exercise began with a televised media montage that ‘set the scene’. At the end of Phase 1 a televised 10 o’clock News Bulletin was aired and at the end of Phase 2, a televised 3 o’clock News Bulletin was aired to simulate the reaction of the press to the unfolding events. Additional media injects comprising Twitter and Web pages were delivered during the mid exercise comfort break and during the CMBCG meeting.

Exercise timetable

Real time | Item                              | Exercise time | Phase and objectives
12:30     | Introduction & Scenario Background |               |
13:00     | Inject tranche 1                  | 15:00 Tues    | Phase 1: demonstrate information sharing between firms via CISP; exercise firm responses to cyber incidents
13:20     | E-voting                          |               |
13:40     | Inject tranche 2                  | 18:00 Tues    | Phase 1 (as above)
14:00     | E-voting                          |               |
14:20     | Break and “level set”             |               |
14:50     | Inject tranche 3                  | 06:00 Wed     | Phase 2: demonstrate information sharing between firms and between firms and regulators
15:10     | E-voting                          |               |
15:30     | Inject tranche 4                  | 12:00 Wed     | Phase 2 (as above)
15:50     | E-voting                          |               |
16:15     | CMBCG Meeting                     |               | Phase 3: evidence CMBCG coordination role
16:40     | CMBCG update and “level set”      |               | Phase 3
17:00     | Group Discussion (Return to BAU)  |               |
During the exercise, each participant team was coordinated by a table facilitator who was responsible for opening the envelopes and providing the inject tranche to their teams when asked to do so by the exercise facilitator. The participants were then given between 20 minutes and half an hour to discuss the impact to their firm resulting from the injects and interact with the other participants (including Firms, the FMIs and the UK Financial Authorities) as appropriate. In addition, information could be posted to the CISP platform that provided all participants with an overview of the developing cyber-attack.
Specific questions about the scenario could be directed to the facilitators who could call on the expertise of the Exercise Control Group if required.
The discussion was followed by a number of electronic voting questions where each participant was asked to select one or multiple answers to questions posed by the lead facilitator. The responses were then presented and discussed.
Following the first four exercise sections there was a final Phase (Phase 3) that comprised a meeting of the CMBCG to consider the overall market impact and response, followed by a final set of electronic voting questions. The formal exercise then closed and a final general discussion was led by the lead facilitator to summarise the issues identified and receive comment from the participants.
The exercise was closed by the UK Financial Authorities and each firm and the observers were invited to complete a feedback form prior to leaving the event.
Annex D – Participant voting results
Phase 1: Tranche 1
Question 1: Based on information you have received since the start of the exercise, which of the following is closest to your understanding of the current status?
Question 2: Describe the level of impact to your organisation and its ability to service stakeholders (clients) at this stage.
Phase 1: Tranche 2
Question 3: Which of the following DDoS mitigants have you deployed?
Question 4: Describe the level of impact to your organisation and its ability to service stakeholders (clients) at this stage.
Question 5: Which of the following internal communications and escalations have been initiated by this stage?
Question 6: Which of the following external communications and escalations have been initiated by this stage?
Question 7: What decisions have you made regarding key overnight processing (for example for collateral/margin, risk and PnL calculations)?
Question 8: Have you requested a sector group meeting at this stage?
Phase 2: Tranche 3
Question 9: What activities are you undertaking to manage risk given the overnight pricing issues?
Question 10: Describe the severity of the funding and liquidity concerns caused by the LCH issue at this stage.
Question 11: What activities are you undertaking to manage risk given the LCH issues?
Question 12: Which of the following internal communications and escalations have been initiated by this stage?
Question 13: Which of the following external communications and escalations have been initiated by this stage?
Question 14: Not asked
Phase 2: Tranche 4
Question 15: Describe the severity of the funding and liquidity concerns caused by the LCH issue at this stage.
Question 16: What activities are you undertaking to manage risk given the LCH issues?
Question 17: Describe the impact of the payments issues at this stage.
Question 18: What options are you considering to deal with the payments disruption?
Question 19: Have you requested a CMBCG meeting at this stage?
Phase 3
Question 20: What is your best estimate of when you expect to be able to return to BAU?
Annex E – Participant Feedback
Exercise Objectives
Question 1: Do you feel the exercise was successful in meeting its objectives?
Objective 1: Assess whether firms had adopted the feedback and lessons learnt from Waking Shark I.
Objective 2: Exercise communication and information flows between firms, and between firms and regulators, during a cyber-attack.
Objective 3: Improved understanding of the impact of a cyber-attack on the financial sector and how the sector should respond, as identified by the 2011 Market Wide Exercise.
Question 2: Did you identify any issues with communications and information sharing between firms or regulators?
Exercise Delivery
Question 1: Do you feel the exercise was well organised and delivered (inc. pre-event briefings)?
Question 2: Was the format successful in facilitating engagement and interactive discussions?
Question 3: Did your team find the scenario sufficiently challenging?